Windows OS Security Ratings

When the US government saw the tremendous usage of commercial operating systems in the mid-1980s, it proposed a standard for operating system security. Security plays a key role in managing data, and this is not specific to a single organization, because different organizations have different sets of data that they need to secure.


The Trusted Computer System Evaluation Criteria (TCSEC) was then brought in by the US DoD, which wrote the standard with specific criteria for handling different levels of security and printed it with an orange cover; since then, TCSEC has been known as the Orange Book.


The Orange Book's main objective was to evaluate computer security in 3 major areas:

a)      Storage of data in the computer

b)      Retrieval of sensitive data


The Orange Book defines 4 broad hierarchies from A to D, with subcategories (A1, B3, B2, B1, C2, C1, D), where A is very secure and D is less secure.





The security of Microsoft operating systems falls under the C and B categories; under the B division, Microsoft operating systems meet only 2 of the security requirements, not all of them.




The four divisions are:


A Division (Verified Protection): While developing an operating system to meet the A1 rating, developers should give system design and security policy high priority, so vendors manage to design operating systems which meet the A rating till date.


B Division (Mandatory Protection): The B division is subcategorized into B3, B2 and B1. B division systems require more testing and documentation. The Windows operating system falls under the B division, and the component Microsoft developed is SAS.


C Division (Discretionary Protection): Most Microsoft operating systems, along with Linux, fall under this division. Implementation of passwords, auditing, and protection for files are some of the major factors of the C division.


D Division (Minimal Security): Operating systems with minimal or no security fall under this division, and there are no rules defined for D division operating systems.



This article should help architects who are designing infrastructure with mixed operating systems to evaluate the security protections those systems support.


